RFC2230
RFC2308
RFC2536
- RFC2538
RFC2539
- RFC2671
- RFC2672
- RFC2673
RFC2782
RFC2915
RFC2930
RFC4074
RFC4255
RFC4294 - Section 5.1 [8]
+ RFC4343
+ RFC4398
+ RFC4408
+ RFC4431
+ RFC4470 [9]
+ RFC4509
+ RFC4635
+ RFC4701
+ RFC4892
+ RFC4955 [10]
+ RFC5001
+ RFC5011
+ RFC5155
+ RFC5205
+ RFC5452 [11]
+ RFC5702
+ RFC5933 [12]
+ RFC5936
+ RFC5952
+ RFC5966
+ RFC6052
+ RFC6147 [13]
+ RFC6303
+ RFC6605 [14]
+ RFC6672
+ RFC6698
+ RFC6742
+ RFC6840 [15]
+ RFC6844
+ RFC6891
+ RFC7314
+ RFC7314
The following DNS related RFC have been obsoleted
RFC2535 (Obsoleted by 4034, 4035) [3] [4]
RFC2537 (Obsoleted by 3110)
+ RFC2538 (Obsoleted by 4398)
+ RFC2671 (Obsoleted by 6891)
+ RFC2672 (Obsoleted by 6672)
+ RFC2673 (Obsoleted by 6891)
RFC3008 (Obsoleted by 4034, 4035)
RFC3152 (Obsoleted by 3596)
RFC3445 (Obsoleted by 4034, 4035)
[1] Queries to zones that have failed to load return SERVFAIL rather
than a non-authoritative response. This is considered a feature.
-[2] CLASS ANY queries are not supported. This is considered a feature.
+[2] CLASS ANY queries are not supported. This is considered a
+feature.
[3] Wildcard records are not supported in DNSSEC secure zones.
-[4] Servers authoritative for secure zones being resolved by BIND 9
-must support EDNS0 (RFC2671), and must return all relevant SIGs and
-NXTs in responses rather than relying on the resolving server to
-perform separate queries for missing SIGs and NXTs.
+[4] Servers authoritative for secure zones being resolved by BIND
+9 must support EDNS0 (RFC2671), and must return all relevant SIGs
+and NXTs in responses rather than relying on the resolving server
+to perform separate queries for missing SIGs and NXTs.
-[5] When receiving a query signed with a SIG(0), the server will only
-be able to verify the signature if it has the key in its local
+[5] When receiving a query signed with a SIG(0), the server will
+only be able to verify the signature if it has the key in its local
authoritative data; it will not do recursion or validation to
retrieve unknown keys.
everywhere with or without --with-idn.
[8] Section 5.1 - DNAME records are fully supported.
+
+[9] Minimally Covering NSEC Record are accepted but not generated.
+
+[10] Will interoperate with correctly designed experiments.
+
+[11] Named only uses ports to extend the id space, address are not
+used.
+
+[12] Conditional on the OpenSSL library being linked against
+supporting GOST.
+
+[13] Section 5.5 does not match reality. Named uses the presence
+of DO=1 to detect if validation may be occuring. CD has no bearing
+on whether validation is occuring or not.
+
+[14] Conditional on the OpenSSL library being linked against
+supporting ECDSA.
+
+[15] Section 5.9 - Always set CD=1 on queries. This is *not* done as
+it prevents DNSSEC working correctly through another recursive server.
+
+When talking to a recurive server the best algorithm to do is send
+CD=0 and then send CD=1 iff SERVFAIL is returned in case the recurive
+server has a bad clock and/or bad trust anchor. Alternatively one
+can send CD=1 then CD=0 on validation failure in case the recursive
+server is under attack or there is stale / bogus authoritative data.